tomcat-users mailing list archives

From "Luke" <l...@lukeshannon.com>
Subject Security Questions
Date Tue, 08 Feb 2005 16:31:51 GMT
Hello;

When creating a realm does the table name have to be 'user'?

 <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
        driverName="org.gjt.mm.mysql.Driver"
        connectionURL="jdbc:mysql://localhost/tomcatusers?user=dbUser&amp;password=dbUser"
        userTable="tomcatusers" userNameCol="user_name"
        userCredCol="user_pass" userRoleTable="user_roles"
        roleNameCol="role_name" />

With this realm I get a 403, but no login prompt. Before I go through with
recreating the DB and the users I wanted to be sure this was the problem.

Also, the web.xml in my project's WEB-INF contains the following:

<!-- security -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>fw</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
</security-constraint>

Right now I don't want anyone to use a servlet that is not authorized
first. What I was expecting was a standard login prompt with the basic (just
getting a 403 as described above). However, once I got BASIC working I
wanted to shift to a custom form login:

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-page>/loginpage.html</form-login-page>
  <form-error-page>/loginpage.html</form-error-page>
</login-config>

Can I do this with the url-pattern of *.do? Or do I need to put an actual
directory? The reason I ask is how will Tomcat find the login pages?

My last question is about this:

<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>

Is it a good idea to have this? I understand it encrypts all data that is
sent to the server. It seems to me that no system should be without it. But I
wanted to check with someone more experienced first whether there were
concerns or limitations I am unaware of.

Thanks,

Luke



---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
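In the servlet deployment descriptor, login-config is a direct child of web-app (a sibling of security-constraint, never nested inside it), and the FORM pages belong inside a form-login-config element. The following is an added example of how the constraints discussed in the message fit together in one web.xml; it is not from the original post, assumes a servlet 2.3 descriptor, and keeps the poster's URL pattern, role and page names:

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- servlet and servlet-mapping entries for the *.do actions go here,
       before the security elements (the 2.3 DTD fixes element order) -->

  <!-- Protect every *.do URL: only users holding role "admin" may call them -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>fw</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL is enforced before authentication: a plain-HTTP request
         for a *.do URL is redirected to the HTTPS connector first, so the
         login form and the posted credentials travel over TLS as well -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- login-config sits beside security-constraint, not inside it.
       The pages are resolved against the web application root, independent
       of the *.do pattern, so no directory is needed in the url-pattern -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/loginpage.html</form-login-page>
      <form-error-page>/loginpage.html</form-error-page>
    </form-login-config>
  </login-config>

  <!-- every role named in an auth-constraint should be declared -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

The page /loginpage.html must contain a form that POSTs to j_security_check with input fields named j_username and j_password; the realm then looks the submitted name up in the configured user and role tables, and the user must have a row with role_name "admin" in user_roles to pass the auth-constraint.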